by throw149102 1379 days ago
Lots of people are mentioning that you can host these types of things yourself, I want to say that that is not a solution at all.

The entire point of these hosted password services is that they are a turnkey solution - I could give them to my mom, who knows nothing about technology, and trust that they work. I like using a turnkey solution myself even though I could self-host because I don't want to spend brain cycles on solving the "syncing passwords across multiple devices" issue.

I don't quite understand why Bitwarden even needs to have you log in in order to access the passwords. Surely you could just have the salted+hashed passwords on device, and Bitwarden just syncs that data from device to device. If you work in an organization and need to revoke access, just change the password. No need to manage whether or not someone is logged in to Bitwarden.


Also re: the comparisons to AWS or Google Cloud - it's still totally different. This is more like your car being unable to start because it can't connect to the cloud. I don't expect that driving my car needs internet access, and I wouldn't expect Bitwarden needs internet access to serve me my passwords that have already been synced.
You have to log in to the extension to unlock passwords every so often though right, more than once per browser session? Presumably that's server-authenticated, and what broke here.
There's no reason for that to involve a remote server.

You have the local encrypted database.

You have the key.

Opening your front door doesn't require a trip down to the hardware store where you bought it.

True, but if you go down that route there's no reason for a remote server at all. (Cf. pass.) I was just suggesting what seems to me a likely cause, since everyone was talking about 'phoning home' and 'remote disabling' as though it was intentional or more dodgy.
The remote server provides backup and sync in a convenient format which will lead to more people using password managers.

When it's down you only need to lose backup and sync.

Refusing to unlock your local database because it made some check on the backup and sync server is precisely remote disabling and is a great reason to transition off of Bitwarden, as it is a pretty good sign of them testing the waters for vendor lock-in.

I think this is the flip-side. They want to support remote wipe, which means they can pull access.
I don't understand that argument. Using Dropbox or any other synchronisation service, KeePass (KeePassXC on desktop/laptop and Keepass2Android on phone) works completely seamlessly. I wouldn't even notice that I am not using an online service.